The easiest way to understand BIMI is to look at who's already using it. We pulled live data from the nslookup.io MCP server to show you what real VMC deployments look like.
Data retrieved live from the nslookup.io MCP API · March 2026
BIMI (Brand Indicators for Message Identification) displays your brand logo next to emails in the inbox. It's what makes an Amazon or PayPal email immediately recognisable — that logo appears before you even read the subject line.
It sounds simple, but the system behind it involves four separate layers that all need to be working simultaneously. If any layer breaks, the logo disappears silently. That's why having a checker — rather than just publishing the DNS record and hoping — matters.
Your domain must have DMARC at p=quarantine or p=reject. A p=none policy is not sufficient for any inbox provider. This is the non-negotiable foundation — without it, nothing else matters.
A TXT record at default._bimi.yourdomain.com that points to your SVG logo and optionally your mark certificate (VMC or CMC). The record format is simple but the SVG requirements are strict.
Required by Gmail and Apple Mail. A VMC requires a registered trademark. A CMC doesn't. Both are digital certificates that link your logo to your organisation, issued by an accredited CA.
The SVG must use the Tiny PS (Portable/Secure) subset — no scripts, no external references, square aspect ratio, solid background, served over HTTPS. Most CAs validate the SVG before issuing the certificate.
This is the question everyone asks. The short answer: if you have a registered trademark, get a VMC. If you don't — or you want to move faster and spend less — get a CMC. Both work in Gmail and Apple Mail.
| Feature | VMC — Verified Mark Certificate | CMC — Common Mark Certificate |
|---|---|---|
| Registered trademark required | Yes | Not required |
| Gmail logo display | Yes | Yes |
| Apple Mail logo display | Yes | Yes |
| Yahoo Mail | Yes | Yes |
| Validation process | Trademark + legal verification | Domain control + org verification |
| Typical cost | $1,000–$1,500 / year | $200–$400 / year |
| Issuance time | 1–3 weeks | 2–5 business days |
| Who issues it | DigiCert, Entrust only | DigiCert, Entrust, and others |
| Best for | Enterprise brands with trademark portfolios | SMBs, startups, non-profits, fast movers |
Before the CMC existed, the VMC requirement locked out most of the market — trademark registration takes 6–18 months and the cost was prohibitive for smaller organisations. CMCs changed that. If you're a startup, a non-profit, a government agency, or simply want to deploy BIMI quickly before committing to a trademark, CMC is the right path. You get the same Gmail logo as the Fortune 500 brands, at a fraction of the cost and time.
VMC and CMC certificates are standard X.509 certificates with additional extensions carrying trademark data. If you need to inspect one without using our tool:
# Fetch the certificate from the URL in your BIMI record: curl -s https://your-domain.com/cert.pem | openssl x509 -noout -text # Key fields to look for: # Subject: O=Your Company Name # Validity: Not After date (your expiry) # X509v3 extensions: trademark country and number
BIMI isn't something you flip on overnight — it builds on email authentication infrastructure that takes a few weeks to harden. Here's the honest path.
Publish SPF and configure DKIM signing on all your email sources. Then add a DMARC record at p=none with a reporting email address. Watch the DMARC reports for 2–4 weeks. You need to understand every source that's sending on your domain before you enforce.
; Start here (p=none is fine while you monitor): _dmarc.example.com TXT "v=DMARC1; p=none; rua=mailto:[email protected]" ; Once you understand your mail flows, move to enforcement: _dmarc.example.com TXT "v=DMARC1; p=reject; rua=mailto:[email protected]"
Your logo needs to be a square (1:1 ratio) SVG using the Tiny PS subset. That means no JavaScript, no external images, no linked fonts, and a solid background colour. If your existing SVG was created in Figma or Illustrator for web use, it almost certainly needs adjustments. The BIMI group provides a validator at their website — run your logo through it before paying for a certificate.
For a VMC: contact DigiCert or Entrust with your trademark registration certificate. They'll verify ownership of the mark before issuing. For a CMC: the process is similar to an OV SSL certificate — domain control and organisational verification. Either way, you'll receive a .pem file to host on your server.
Add a TXT record at default._bimi.yourdomain.com:
default._bimi.example.com TXT "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/cert.pem" ; l= is your SVG logo URL (must be HTTPS) ; a= is your VMC or CMC certificate URL (the .pem file)
Then verify with our checker above — it will fetch the record, validate the logo URL, and decode the certificate.
Send a test email to a Gmail account and an Apple Mail account. Check that the logo appears. Propagation can take up to 48 hours after DNS changes. If the logo isn't showing after 48 hours, run the BIMI checker again to confirm the record is being read correctly — our tool checks from multiple locations to rule out caching.
VMC and CMC certificates expire annually. Your SVG logo URL can go down. Your DMARC policy can accidentally get changed. Set up monitoring so you're alerted before any of this breaks — not after your logo disappears from a thousand inboxes.
If you're building tooling, running automated checks, or using an AI assistant that supports MCP, you can query BIMI records and decode VMC/CMC certificates programmatically. This is something most BIMI checkers don't offer — and it's one of the things that makes nslookup.io different.
GET https://api.nslookup.io/v1/bimi?domain=amazon.com
Authorization: Bearer YOUR_API_KEY
# Returns:
{
"domain": "amazon.com",
"status": "valid",
"bimiRecord": "v=BIMI1; l=https://...; a=https://...",
"logoUrl": "https://d3frv9g52qce38.cloudfront.net/...",
"certType": "VMC",
"issuer": "DigiCert Verified Mark RSA4096 SHA256 2021 CA1",
"subject": "Amazon Web Services, Inc.",
"trademarkCountry": "US",
"trademarkNumber": "7055660",
"validTo": "2027-02-02T23:59:59.000Z",
"daysUntilExpiry": 313
}The nslookup.io MCP server lets you check BIMI records directly from Claude, Cursor, or any AI tool that supports MCP. Instead of writing API integration code, you just ask in natural language:
# Add to your MCP config (Claude Desktop, Cursor, etc.):
{
"mcpServers": {
"nslookup": {
"url": "https://mcp.nslookup.io/mcp"
}
}
}
# Then ask your AI tool:
# "Check the BIMI record for paypal.com and tell me
# when the VMC certificate expires"
# → Returns live data including certificate decodeThis is particularly useful for email deliverability audits — you can check BIMI, DMARC, SPF, DKIM, and MX records for a domain in a single AI conversation, without switching between multiple tools or writing any code.
BIMI adoption varies significantly by provider. Before investing in a VMC or CMC, know which providers your audience actually uses.
| Inbox provider | BIMI supported | VMC required | CMC accepted | Logo without cert |
|---|---|---|---|---|
| Gmail (Google) | Yes | Yes | Yes | No |
| Apple Mail (iOS & macOS) | Yes | Yes | Yes | No |
| Yahoo Mail | Yes | No | No | Yes |
| Fastmail | Yes | No | No | Yes |
| Outlook / Microsoft 365 | Partial | Own system | No | Own system |
| Proton Mail | In progress | — | — | — |
Microsoft runs its own brand logo system for Outlook that doesn't use the standard BIMI/VMC approach. If Microsoft 365 is important to your audience, you'll need to register separately via their partner program.
BIMI (Brand Indicators for Message Identification) is an email standard that displays your brand's logo in the inbox next to authenticated emails. It combines DMARC enforcement (so only legitimate senders can use your domain), a DNS record pointing to your SVG logo, and optionally a VMC or CMC certificate that validates your brand identity. Gmail and Apple Mail require the certificate. Yahoo and Fastmail show logos without one.
A VMC (Verified Mark Certificate) is a certificate that links your brand logo to a verified registered trademark. It's issued only by DigiCert or Entrust after they verify your trademark registration with the relevant national trademark office. The process takes 1–3 weeks. Cost is typically $1,000–$1,500 per year. You need an existing registered trademark — the VMC doesn't create one for you. If you don't have a trademark, consider a CMC instead.
A CMC (Common Mark Certificate) doesn't require a registered trademark — you just need to verify domain control and basic organisational information. CMCs are accepted by Gmail and Apple Mail for BIMI logo display. They cost around $200–$400 per year and can be issued in 2–5 business days. For most organisations without existing trademark portfolios, CMC is the faster and more practical path to BIMI.
There are five common causes: (1) You don't have a VMC or CMC — Gmail requires one; (2) Your DMARC policy is at p=none — it must be p=quarantine or p=reject; (3) Your VMC or CMC has expired; (4) Your SVG logo URL is returning a 404 or other error; (5) Your SPF or DKIM is failing, which breaks DMARC alignment. Use the checker above — it validates each layer and tells you exactly which one is broken.
No — not anymore. You need a trademark for a VMC, but the CMC path (accepted by Gmail and Apple Mail) doesn't require trademark registration. If you want BIMI logo display in Gmail without the cost or time of trademark registration, get a CMC.
Yes. nslookup.io offers a REST API that returns full BIMI record data and decodes VMC/CMC certificates in JSON format. We also support MCP (Model Context Protocol), which means you can query BIMI records directly from Claude, Cursor, or other MCP-compatible AI tools without writing integration code. The MCP server returns the same data as the API — including issuer, trademark details, and days until certificate expiry — but you access it through natural language in your AI tool of choice.
VMC and CMC certificates are valid for one year. We recommend setting monitoring alerts at 60 days and 30 days before expiry — renewal takes longer than SSL (especially VMC, which requires re-verification of your trademark). Your BIMI logo will silently disappear the day your certificate expires. Use nslookup.io's monitoring to get automatic alerts before that happens.
Certificate expiry and SVG URL outages kill BIMI logos silently. Set up daily monitoring across all your sending domains and get alerted before anything breaks.
Start free BIMI monitoring →Also check SSL certificates ↗BIMI sits on top of email authentication. These tools help you check the layers beneath it.